+++ /dev/null
-==== Build
-
-* Enabling large pcap may erroneously affect the number of packets processed
- from pcaps.
-
-* Enabling debug messages may erroneously affect the number of packets
- processed from pcaps.
-
-* Building with clang and autotools on Linux will show the following
- warning many times. Please ignore.
-
- clang: warning: argument unused during compilation: '-pthread'
-
-
-==== Config
-
-* Parsing issue with IP lists. can't parse rules with $EXTERNAL_NET
- defined as below because of the space between ! and 10.
-
- HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]]
- EXTERNAL_NET = '! ' .. HOME_NET
-
-* Multiple versions of luajit scripts are not handled correctly. The
- first loaded version will always be executed even though plugin manager
- saves the correct version.
-
-* When using -c and -L together, the last on the command line wins (-c -L
- will dump; -L -c will analyze).
-
-* Modules instantiated by command line only will not get default settings
- unless hard-coded. This notably applies to -A and -L options.
-
-* --lua can only be used in addition to, not in place of, a -c config.
- Ideally, --lua could be used in lieu of -c.
-
-
-==== Rules
-
-* metdata:service foo; metadata:service foo; won't cause a duplicate service
- warning as does metadata:service foo, service foo;
-
-* ip_proto doesn't work properly with reassembled packets so it can't be
- used to restrict the protocol of service rules.
-
-
-==== snort2lua
-
-* uricontent:"foo"; content:"bar"; -> http_uri; content:"foo"; content:"bar";
- (missing pkt_data)
-
-* stream_tcp ports and protocols both go into a single binder.when; this is
- incorrect as the when fields are logically anded together (ie must all be
- true). Should create 2 separate bindings.
-
-* There is a bug in pps_stream_tcp.cc.. when stream_tcp: is specified
- without any arguments, snort2lua doesn't convert it. Same for
- stream_udp.
-
-* Loses the ip list delimiters [ ]; change to ( )
-
- in snort.conf: var HOME_NET [A,B,C]
- in snort.lua: HOME_NET = [[A B C]]
-
-* Won't convert packet rules (alert tcp etc.) to service rules (alert http
- etc.).
-
-* alert_fast and alert_full: output configuration includes "file =
- 'foo.bar'", but file is a bool and you cannot specify an output file name
- in the configuration.
-
-==== Runtime
-
-* -B <mask> feature does not work. It does ordinary IP address obfuscation
- instead of using the mask.
-
-* Obfuscation does not work for csv format.
-
-* The hext DAQ will append a newline to text lines (starting with '"').
-
-* The hext DAQ does not support embedded quotes in text lines (use hex
- lines as a workaround).
-
-* stream_tcp alert squash mechanism incorrectly squashes alerts for
- different TCP packets.
-
* nets and/or ports may be omitted from rule headers (matches any)
* parse all rules and output all errors before quitting
* read rules from conf, separate rules file, or stdin
+* The symbol =< in a byte test is recognized as a syntax error. The correct
+ symbol is \<=.
=== Output
value over gid:138 rules and was difficult to interpret the result of.
For more information, See Features > Sensitive Data Filtering for details.
+
+=== Features Not Yet Supported by Snort 3
+
+* Support in http_inspect for Original Client IP is limited to the
+ X-Forwarded-For and True-Client-IP headers in that order. It is not
+ possible to configure additional custom headers to search for Original
+ Client IP.
+
+* The -n option does not work properly when perf_monitor is configured. The
+ number of packets processed from the pcap is likely to be more than the
+ number specified with the -n option.
+
+* When a file is transferred via SMB2 it may be allowed even though
+ according to file policy it should be blocked. This occurs when the
+ create and read requests are sent together and then the read and create
+ responses are sent together. Blocking is done correctly if the create and
+ read requests are sent separately or if the file is large enough to
+ require two read responses.
+
+* This user manual is incomplete and does not fully cover many Snort 2.X
+ features that are also supported by Snort 3.
projects / thirdparty / snort3.git / commitdiff
